What is the difference between Authentication and Authorization?
Authentication is the process of proving the claimed identity of an entity, whereas authorization defines the tasks that an authenticated entity can perform and identifies the resources that the entity can access.
Authentication and authorization are core elements of the IAAA (identification, authentication, authorization, accountability) identity and access management scheme. The four attributes complement each other. To have a robust authentication system, we need proper identification in place. To authorize entities, that is, to give them permission to access resources, we first need dependable authentication techniques. And to hold entities accountable for their actions, we need valid identification, authentication, and authorization mechanisms. Moreover, we need multi-factor authentication to strengthen the security of systems.
In authentication, we aim to establish mechanisms by which entities prove they are who they claim to be. We can do this with factors based on something you know, something you have, and something you are.
During authorization, we grant or deny entities permissions to organizational resources according to the principle of least privilege.
Authentication verifies the identity of end users who try to access the system. We can deploy strong authentication using mechanisms such as biometrics, smart cards, Kerberos tokens, and PKI certificates. We can also use centralized identity management, such as enterprise user security (Oracle OID or Microsoft Active Directory), to manage users.
Authorization determines the user’s privileges and roles to access a system.
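The sketch below is an added example, not part of the original text: it walks one request through the IAAA steps described above, keeping authentication (is the claimed identity proven?) separate from authorization (is this identity's role granted the action?). The users, roles, permissions and the 401/403 result strings are constructed for illustration, and only a single "something you know" factor is checked.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored verifiers are not plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical users, roles and permissions).
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
USERS = {
    "alice": {"salt": _SALT_A, "pw": _hash("correct horse", _SALT_A), "role": "auditor"},
    "bob": {"salt": _SALT_B, "pw": _hash("battery staple", _SALT_B), "role": "admin"},
}
ROLE_PERMS = {  # least privilege: each role lists only what it needs
    "auditor": {("report", "read")},
    "admin": {("report", "read"), ("report", "write"), ("user", "manage")},
}
AUDIT_LOG = []  # accountability: every decision is recorded

def authenticate(username: str, password: str):
    """Identification + authentication: return the proven identity or None."""
    rec = USERS.get(username)
    # Hash even for unknown names so timing does not reveal valid usernames.
    salt = rec["salt"] if rec else b"\x00" * 16
    candidate = _hash(password, salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["pw"])
    AUDIT_LOG.append(("authn", username, ok))
    return username if ok else None

def authorize(identity: str, resource: str, action: str) -> bool:
    """Authorization: deny by default, allow only what the role grants."""
    role = USERS[identity]["role"] if identity in USERS else None
    ok = (resource, action) in ROLE_PERMS.get(role, set())
    AUDIT_LOG.append(("authz", identity, resource, action, ok))
    return ok

def access(username: str, password: str, resource: str, action: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"  # identity not proven
    if not authorize(identity, resource, action):
        return "403 forbidden"  # identity proven, action not granted
    return "200 ok"

if __name__ == "__main__":
    print(access("alice", "correct horse", "report", "read"))
    print(access("alice", "correct horse", "report", "write"))
    print(access("alice", "wrong password", "report", "read"))
```

The second call is the instructive one: alice authenticates successfully yet is still refused, because her auditor role was never granted write access.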